Getting Carded

The demand for proof of identity is as old as humanity itself. In the
footnotes of a paper titled, “From
the Wicked Emerges Wickedness,” Professor Yaakov Klein writes that
peoples in the Ancient Near East used corners from their clothes as identification.
Today, this would result in 35,000 Los Angeles Laker fans being identified
as Kobe Bryant. Something a little more unique and personal is called
for.

In computing, passwords are the primary form of personal identification.
Computers and passwords are like popcorn and salt; they appear inseparable.
But, despite the universal acceptance of passwords, they share the same
fundamental limitation as the corner of a garment: You can’t be sure that
the person using a password is the same person to whom the password was
issued. To get past this limitation, you need two-factor authentication—something
that couples a password with a unique item that can’t be forged, impersonated,
hijacked or bullied into yielding up its contents. The most common form
of two-factor authentication is a smart card.

A smart card, sometimes called a smart token or simply a token, houses
a microchip containing a cryptographic module, I/O processor and a dab
of memory. The cryptographic module generates public-private key pairs,
the Penn and Teller of cryptography. Anything encrypted by one key in
the pair can only be decrypted by the other key in the same pair.

The public key generated by a token can be certified by a Certification
Authority, which issues an X.509 certificate also stored in the token.
Figure 1 shows the certificate and keys stored inside an example token.
A Cryptographic Service Provider (CSP) in Windows can use the keys in
a smart card to sign communications digitally between a client and host.
Because every key pair is unique, the digital signature originating from
a particular token is unique.

Figure 1. Keys and certificates stored in a typical
smart token.

Here’s where two-factor authentication comes into play. The processor
in a smart card also stores a personal identification number (PIN). The
user must enter the PIN to obtain access to the keys stored in the card.
This makes smart card authentication dramatically better than a simple
password because a bad guy must both steal a user’s smart card and know
the PIN. A typical smart card locks up if the wrong PIN is entered more
than three times, so guessing the PIN is generally infeasible. Locked
cards can only be unlocked by someone who knows the administrator PIN.
If the incorrect administrator PIN is entered too many times, the card
is rendered useless until the contents are wiped.

Smart cards give you a level of accountability that is otherwise lacking
in standard password authentication. A user cannot deny having performed
a particular activity, claiming, “Someone must have stolen my password.”
You can set group policies that force a logoff (or lock the workstation)
if the smart card is removed. This prevents a user from being actively
logged on at multiple locations. You can also use smart cards to authenticate
dial-in and VPN connections.

Deploying Smart CardsSmart cards have an undeserved reputation for being complex to
manage, expensive to deploy and finicky to use. In practice, if you’ve
already deployed a Windows 2000-based Active Directory domain, you can
configure your system for smart card authentication with very little pain.

As you consider how best to use smart cards in your system, read through
the “Smart Card Deployment Cookbook” in Microsoft TechNet, http://microsoft.com/technet/treeview/default.asp?url=/TechNet/
security/prodtech/smrtcard/smrtcdcb/DEFAULT.asp, and the excellent
book Planning for PKI by Russ Housley and Tim Polk (Wiley Computer
Publishing.) These detailed references can be a little daunting; but don’t
let the convolutions of public key infrastructure (PKI) management discourage
you from using smart cards. Setting up a system for smart card authentication
isn’t as much trouble as you might think. Here’s a quick checklist:

Select a suitable smart card vendor.

Install a PKI with Certificate Authority servers capable of issuing
certificates for the public keys generated by smart cards, a process
called enrollment.

Enroll each user by issuing a smart card with a unique key and certificate.

Selecting a Smart Card VendorOK, so you’ve decided to take the plunge and deploy a smart card
solution. Start your search for a vendor at the Smart Card Hot List, www.andreae.com/hotlist.htm.
Most vendors sell an evaluation package with a reader, software and a
couple of cards for around $100. As you evaluate products, keep these
criteria in mind:

Compatibility. The clients in your network must have the correct
cryptographic support provider (CSP) to communicate with the processor
on the smart card. In general, this means installing additional software
at each desktop. Vendors are starting to simplify this task by packaging
their CSP drivers into a Windows Installer bundle (an .msi file.) When
you install the drivers, the standard logon window changes slightly
to include an icon for a smart card reader. Figure 2 shows an example.

Kerberos integration. Some smart card solutions have their
own authentication systems that require additional training and planning
for unforeseen exploits. The most desirable smart card solutions rely
on native Win2K/XP Kerberos for exchanging digitally signed authentication
information inside ticket-granting tickets.

FIPS 140-1 and 140-2 certification. Federal Information Processing
Standards (FIPS) document FIPS 140-2, Security Requirements for Cryptographic
Modules, defines a stringent set of criteria for vendors who sell cryptographic
products. This document is available at csrc.nist.gov/cryptval/140-2.htm.
An independent testing lab must validate that a product meets the FIPS
140-2 requirements. The National Institute of Standards and Technology
(NIST) maintains a list of cryptographic vendors and their products
that have passed FIPS 140 testing. This list is available at csrc.nist.gov/cryptval/140-1/1401val.htm.
(FIPS 140-2 recently superceded FIPS 140-1 and only a few vendors have
certified their products to the new 140-2 standards.)

Form factor. A standard smart card takes the form of a credit
card-sized package that’s inserted into a reader connected to the PC
via a parallel or USB port or a PCMCIA card. Rainbow Technologies and
ActivCard house their smart token inside a small USB dongle that doesn’t
require a reader. Either form factor ends up costing around $80 to $100
per node to deploy.

Smart Card User EnrollmentTo enroll a user, you must obtain a Smart Card Enrollment Agent
certificate from your Certificate Authority. This certificate must be
installed on the machine you use to do the user enrollments. The steps
for this process are detailed in the Smart Card Deployment Cookbook.

You must also prepare the smart card. Every vendor supplies a utility
for managing smart card properties, such as setting the user and administrator
PIN, unlocking the card after a user has repeatedly submitted an incorrect
PIN, managing stored certificates and so forth. It’s not unusual to find
that a vendor’s smart card and CSP are compatible with Windows XP but
the utility requires Win2K or even Windows NT. Figure 3 shows a typical
card management utility window.

Figure 3. A typical smart card management utility
interface, this one from SchlumbergerSema.

It’s extremely important that you assign a unique user PIN when initializing
a smart card. The default PINs from all manufacturers are well-known.
An eight-character PIN is generally sufficient. Tightly control the administrator
PIN. Make it complex and give it only to selected, trustworthy individuals.
If the administrator PIN becomes known, your smart card deployment is
compromised. You’d be forced to remove all smart card credentials from
AD and re-enroll all users.

Once the card’s been prepped, the user is enrolled using a Web-based
enrollment page from a Win2K Certificate Authority server. The URL is
http:///certsrv. At the welcome page, click Request a Certificate.
At the Request a Certificate page, click Advanced Certificate Request.
At the Advanced Certificate Request page, click the option that starts
Request a Certificate for a Smart Card. The Smart Card Certificate Enrollment
Station page opens. Figure 4 shows an example.

Once you enroll a user, test the smart card logon. Insert the smart card
into the reader or the USB dongle into the USB port. Winlogon realizes
you’re using a smart card rather than a standard password and contacts
the appropriate Cryptographic Service Provider to display a PIN window,
as shown in Figure 5. The CSP validates the PIN and permits access to
the keys, which are then used along with Kerberos to authenticate the
user. Within a few seconds, the desktop appears.

Figure 5. The PIN window in a smart card logon
process.

Say Good-bye to Passwords, AlmostAfter you deploy a smart card to a user, the User object in AD
still has a copy of the user’s old password. As part of your smart card
deployment, you should change the user passwords to long, complex values
that aren’t recorded anywhere. This accomplishes two things: It prevents
the users from bypassing the smart card logon process by entering a password,
and it foils password dump-and-crack programs that prey on simple passwords.

Additional
Information

For more about smart card installation, read Roberta
Bragg’s two-part column on the topic in the September
and October 2000 issues.

Also check out Roberta’s rundown on biometric products
in the June
2002 issue.

A 14-character password consisting of upper/lowercase letters, numbers
and special characters will defeat a password cracker. You may want to
use a password generator such as Random Password Generator Expert from
SoftDemon at www.softdemon.com.

The password situation isn’t as simple for administrators. Ordinarily,
an administrator doesn’t want to log on with full admin privileges. Win2K
has a Secondary Logon feature that uses the RunAs command (or a GUI equivalent)
to submit alternate credentials, but RunAs doesn’t currently support smart
card authentication. Neither does the NET USE command commonly used to
map drives to network shares using alternate credentials. This deficiency
is fixed in XP and .NET.

Do You Really Need This?If all this seems like a lot of work and expense, you might want
to consider that recovering from an intrusion caused by inadequately controlled
passwords often involves even more work and expense. The day is rapidly
approaching when we’ll look back at the era of simple password authentication
with the same bemusement that we get from watching a game of Pac-Man or
finding a 5-and-1/4-inch floppy disk in a junk drawer. You should at least
set up a smart card solution in a lab and get accustomed to using it.
You might also want to look at biometric authentication systems such as
fingerprint scanners and facial recognition solutions, that can be combined
with smart cards to avoid PINs.